(PDF) Extending Commutativity via Safe Abstraction

Extending Commutativity via Safe Abstraction

Dominik Klumpp

University of Freiburg

joint work with: Azadeh Farzan (University of Toronto)

Andreas Podelski (University of Freiburg)

PLDI 2022

1

Commutativity

Statements st1and st2commute

iﬀ

neither statement writes a variable accessed by the other

(“disjoint” variable accesses)

for all programs and wrt. all properties

Formally: read(st1)∩write(st2) = write(st1)∩read(st2) = write(st1)∩write(st2) = ∅

abstract irrelevant details preserve relevant details

2

Commutativity

Statements st1and st2commute

iﬀ

the order of execution does not matter

(st1st2behaves exactly like st2st1)

for all programs and wrt. all properties

Formally: read(st1)∩write(st2) = write(st1)∩read(st2) = write(st1)∩write(st2) = ∅

abstract irrelevant details preserve relevant details

2

Commutativity

Statements st1and st2commute

iﬀ

the order of execution does not matter

(st1st2behaves exactly like st2st1)

for all programs and wrt. all properties

Formally: Jst1st2K=Jst2st1K

abstract irrelevant details preserve relevant details

2

Commutativity

Statements st1and st2commute

iﬀ

the order of execution does not matter

(st1st2behaves exactly like st2st1)

for all programs and wrt. all properties

Formally: Jst1st2K=Jst2st1K

abstract irrelevant details preserve relevant details

2

Commutativity

Statements st1and st2commute

iﬀ

the order of execution does not matter

(st1st2behaves similar enough to st2st1)

for a given program and property

Formally: Jst1st2K=Jst2st1K

abstract irrelevant details preserve relevant details

3

Commutativity

Statements st1and st2commute

iﬀ

the order of execution does not matter

(st1st2behaves similar enough to st2st1)

for a given program and property

Formally: Jst1st2K=Jst2st1K

abstract irrelevant details preserve relevant details

3

Commutativity

Statements st1and st2commute

iﬀ

the order of execution does not matter

(st1st2behaves similar enough to st2st1)

for a given program and property

Formally: Jst1st2K=Jst2st1K

abstract irrelevant details preserve relevant details

3

Commutativity

Statements st1and st2commute

iﬀ

the order of execution does not matter

(st1st2behaves similar enough to st2st1)

for a given proof

Formally: Jst1st2K=Jst2st1K

abstract irrelevant details preserve relevant details

3

Safe Commutativity

P⊆[Π]I

Pis correct

Icommutativity ICbased on (concrete) semantics: safe wrt. all Π

IHow to get safe commutativity for a particular proof Π?

Iis safe wrt. Π

4

Safe Commutativity

P⊆[Π]I[Π]I⊆correct

Pis correct

Icommutativity ICbased on (concrete) semantics: safe wrt. all Π

IHow to get safe commutativity for a particular proof Π?

Iis safe wrt. Π

4

Safe Commutativity

P⊆[Π]I[Π]I⊆correct

Pis correct

Icommutativity ICbased on (concrete) semantics: safe wrt. all Π

IHow to get safe commutativity for a particular proof Π?

Iis safe wrt. Π

4

Safe Commutativity

P⊆[Π]I[Π]I⊆correct

Pis correct

Icommutativity ICbased on (concrete) semantics: safe wrt. all Π

IHow to get safe commutativity for a particular proof Π?

Iis safe wrt. Π

4

Safe Commutativity

P⊆[Π]I[Π]I⊆correct

Pis correct

Icommutativity ICbased on (concrete) semantics: safe wrt. all Π

IHow to get safe commutativity for a particular proof Π?

Iis safe wrt. Π

4

Safe Abstraction

Let α:Stmt →Stmt.

Iα:= {(st1, st2)|α(st1), α(st2)∈IC}

Theorem (Safety)

If αsatisﬁes

Iabstraction: JstK⊆Jα(st)Kfor all st

Ipreservation: {ϕ}α(st){ψ}is valid, for all {ϕ}st{ψ} ∈ Π

then Iαis safe wrt. Π.

5

Safe Abstraction

Let α:Stmt →Stmt.

Iα:= {(st1, st2)|α(st1), α(st2)∈IC}

Theorem (Safety)

If αsatisﬁes

Iabstraction: JstK⊆Jα(st)Kfor all st

Ipreservation: {ϕ}α(st){ψ}is valid, for all {ϕ}st{ψ} ∈ Π

then Iαis safe wrt. Π.

5

Safe Abstraction

Let α:Stmt →Stmt.

Iα:= {(st1, st2)|α(st1), α(st2)∈IC}

Theorem (Safety)

If αsatisﬁes

Iabstraction: JstK⊆Jα(st)Kfor all st

Ipreservation: {ϕ}α(st){ψ}is valid, for all {ϕ}st{ψ} ∈ Π

then Iαis safe wrt. Π.

5

Instance: Variable-Based Abstraction

Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity

Abstraction:

Istatements ˆ= transition formulae

Iexistentially quantify variables not mentioned in proof

Example

Let Π = {>} y:=x+x {y6= 1}. Then

αΠ(y:=x+x ) : “assign yto some even value (nondet.)”

αΠ(x:=0 ) : “do not change y”

Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).

6

Instance: Variable-Based Abstraction

Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity

Abstraction:

Istatements ˆ= transition formulae

Iexistentially quantify variables not mentioned in proof

Example

Let Π = {>} y:=x+x {y6= 1}. Then

αΠ(y:=x+x ) : “assign yto some even value (nondet.)”

αΠ(x:=0 ) : “do not change y”

Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).

6

Instance: Variable-Based Abstraction

Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity

Abstraction:

Istatements ˆ= transition formulae

Iexistentially quantify variables not mentioned in proof

Example

Let Π = {>} y:=x+x {y6= 1}. Then

αΠ(y:=x+x ) : “assign yto some even value (nondet.)”

αΠ(x:=0 ) : “do not change y”

Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).

6

Instance: Variable-Based Abstraction

Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity

Abstraction:

Istatements ˆ= transition formulae

Iexistentially quantify variables not mentioned in proof

Example

Let Π = {>} y:=x+x {y6= 1}. Then

αΠ(y:=x+x ) : “assign yto some even value (nondet.)”

αΠ(x:=0 ) : “do not change y”

Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).

6

Instance: Variable-Based Abstraction

Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity

Abstraction:

Istatements ˆ= transition formulae

Iexistentially quantify variables not mentioned in proof

Example

Let Π = {>} y:=x+x {y6= 1}. Then

αΠ(y:=x+x ) : “assign yto some even value (nondet.)”

αΠ(x:=0 ) : “do not change y”

Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).

6

Instance: Variable-Based Abstraction

Idea: Variable xdoes not occur in the proof ⇒Ignore xwhen determining commutativity

Abstraction:

Istatements ˆ= transition formulae

Iexistentially quantify variables not mentioned in proof

Example

Let Π = {>} y:=x+x {y6= 1}. Then

αΠ(y:=x+x ) : “assign yto some even value (nondet.)”

αΠ(x:=0 ) : “do not change y”

Now: αΠ(y:=x+x )commutes with αΠ(x:=0 ).

6

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Instance: Variable-Based Abstraction

Proposition: Variable-based abstraction is safe (it satisﬁes abstraction and preservation).

Advantages:

Ioften allows additional commutativity

Iabstraction easy to compute

Limitations:

Itheoretically: may lose commutativity

Ipractically: quantiﬁers are challenging

Generally: abstract commutativity +concrete commutativity

Solution: combine abstract with concrete commutativity

7

Combining Commutativity Relations

Observation: Union of safe commutativity relations may be unsafe!

Example:

Iprecondition: >

Ipostcondition: z= 2

Iproof Π:{>} x:=1 {>} x==1;z:=1 {>} x==2;z:=2 {z= 2}

x:=1 x==1;z:=1 x==2;z:=2 ∼ICx:=1 x==2;z:=2 x==1;z:=1

∼IαΠx==2;z:=2 x:=1 x==1;z:=1

8

Combining Commutativity Relations

Observation: Union of safe commutativity relations may be unsafe!

Example:

Iprecondition: >

Ipostcondition: z= 2

Iproof Π:{>} x:=1 {>} x==1;z:=1 {>} x==2;z:=2 {z= 2}

x:=1 x==1;z:=1 x==2;z:=2 ∼ICx:=1 x==2;z:=2 x==1;z:=1

∼IαΠx==2;z:=2 x:=1 x==1;z:=1

8

Combining Commutativity Relations

Observation: Union of safe commutativity relations may be unsafe!

Example:

Iprecondition: >

Ipostcondition: z= 2

Iproof Π:{>} x:=1 {>} x==1;z:=1 {>} x==2;z:=2 {z= 2}

x:=1 x==1;z:=1 x==2;z:=2

∼ICx:=1 x==2;z:=2 x==1;z:=1

∼IαΠx==2;z:=2 x:=1 x==1;z:=1

8

Combining Commutativity Relations

Observation: Union of safe commutativity relations may be unsafe!

Example:

Iprecondition: >

Ipostcondition: z= 2

Iproof Π:{>} x:=1 {>} x==1;z:=1 {>} x==2;z:=2 {z= 2}

x:=1 x==1;z:=1 x==2;z:=2 ∼ICx:=1 x==2;z:=2 x==1;z:=1

∼IαΠx==2;z:=2 x:=1 x==1;z:=1

8

Combining Commutativity Relations

Observation: Union of safe commutativity relations may be unsafe!

Example:

Iprecondition: >

Ipostcondition: z= 2

Iproof Π:{>} x:=1 {>} x==1;z:=1 {>} x==2;z:=2 {z= 2}

x:=1 x==1;z:=1 x==2;z:=2 ∼ICx:=1 x==2;z:=2 x==1;z:=1

∼IαΠx==2;z:=2 x:=1 x==1;z:=1

8

Combining Commutativity Relations

Combination through new proof rule:

P⊆

h

[Π]Iα

iIC

safeΠ(Iα)

Pis correct

Make it decidable with preference orders:

Seq(P, , Iα, IC)⊆Π

P⊆h[Π]IαiIC

9

Combining Commutativity Relations

Combination through new proof rule:

P⊆h[Π]IαiICsafeΠ(Iα)

Pis correct

Make it decidable with preference orders:

Seq(P, , Iα, IC)⊆Π

P⊆h[Π]IαiIC

9

Combining Commutativity Relations

Combination through new proof rule:

P⊆h[Π]IαiICsafeΠ(Iα)

Pis correct

Make it decidable with preference orders:

Seq(P, , Iα, IC)⊆Π

P⊆h[Π]IαiIC

9

Beyond Two Relations

Seq(P, , I1, . . . , In)⊆Π

P⊆h. . . [Π]I1. . . iIn

P⊆h. . . [Π]I1. . . iIn∀i . safeΠ(Ii)I1c. . . cIn

Pis correct

“more abstract than”

10

Beyond Two Relations

Seq(P, , I1, . . . , In)⊆Π

P⊆h. . . [Π]I1. . . iIn

P⊆h. . . [Π]I1. . . iIn∀i . safeΠ(Ii)I1c. . . cIn

Pis correct

“more abstract than”

10

Beyond Two Relations

Seq(P, , I1, . . . , In)⊆Π

P⊆h. . . [Π]I1. . . iIn

P⊆h. . . [Π]I1. . . iIn∀i . safeΠ(Ii)I1c. . . cIn

Pis correct

“more abstract than”

10

Beyond Two Relations

Seq(P, , I1, . . . , In)⊆Π

P⊆h. . . [Π]I1. . . iIn

P⊆h. . . [Π]I1. . . iIn∀i . safeΠ(Ii)I1c. . . cIn

Pis correct

“more abstract than”

10

Summary

For automated veriﬁcation, extend commutativity for given program and property

IChallenge I: remain sound wrt. a proof (safe commutativity)

IChallenge II: overcome potential loss of commutativity (combine relations)

Safe Abstraction yields safe commutativity, for instance: variable-based abstraction

algorithmic approach to soundly combine multiple relations

Questions?

11

Summary

For automated veriﬁcation, extend commutativity for given program and property

IChallenge I: remain sound wrt. a proof (safe commutativity)

IChallenge II: overcome potential loss of commutativity (combine relations)

Safe Abstraction yields safe commutativity, for instance: variable-based abstraction

algorithmic approach to soundly combine multiple relations

Questions?

11

Summary

For automated veriﬁcation, extend commutativity for given program and property

IChallenge I: remain sound wrt. a proof (safe commutativity)

IChallenge II: overcome potential loss of commutativity (combine relations)

Safe Abstraction yields safe commutativity, for instance: variable-based abstraction

algorithmic approach to soundly combine multiple relations

Questions?

11

Summary

For automated veriﬁcation, extend commutativity for given program and property

IChallenge I: remain sound wrt. a proof (safe commutativity)

IChallenge II: overcome potential loss of commutativity (combine relations)

Safe Abstraction yields safe commutativity, for instance: variable-based abstraction

algorithmic approach to soundly combine multiple relations

Questions?

11

Summary

For automated veriﬁcation, extend commutativity for given program and property

IChallenge I: remain sound wrt. a proof (safe commutativity)

IChallenge II: overcome potential loss of commutativity (combine relations)

Safe Abstraction yields safe commutativity, for instance: variable-based abstraction

algorithmic approach to soundly combine multiple relations

Questions?

11

Summary

For automated veriﬁcation, extend commutativity for given program and property

IChallenge I: remain sound wrt. a proof (safe commutativity)

IChallenge II: overcome potential loss of commutativity (combine relations)

Safe Abstraction yields safe commutativity, for instance: variable-based abstraction

algorithmic approach to soundly combine multiple relations

Questions?

11

Extending Commutativity via Safe Abstraction

Recommended publications

Some homological properties of amalgamation

Eigenvalue topology of non-Hermitian band structures in two and three dimensions

Impressions of convexity - An illustration for commutator bounds

Partial Commutation on Some Classes of 2D Picture Languages